I think it depends on what you store. If you only store an IP address (for instance) and link all the personalisation to that, would that be a problem? I would assume this only for personal data such as address information. I'm not an expert, so I'm curious about the answers...
– Ruben Verschueren Sep 15 '16 at 9:01

1

I'm in the process of formulating some advice. That being said, Sitecore's xDB has methods for deleting and removing contacts. Out of the box, what Sitecore captures is pretty slim from a PII POV. Unless you have implemented xDB to Identify Contacts and store an email address, which starts the trail, all you are recording is anonymous data, with zero PII. IP address is collected, but that's not PII.
– Pete Navarra Sep 21 '16 at 22:23

3 Answers
3

A big question, so I will answer just a slice of it: what Personally Identifiable Information (PII) does xDB store out of the box? I'm tempted to say nothing: as an implementer, you have the option to identify a contact, and to tag that contact with information via the contact facet mechanism. xDB ships with predefined facets for personal information such as name and email, and this is extensible so you can add facets to record whatever information you like. But this requires customization. Sitecore provides the data storage and API.

What Sitecore xDB will do out of the box is create a visitor cookie to track that device over time (SC_ANALYTICS_GLOBAL_COOKIE). The API provides a mechanism to "identify" the visitor, by tagging it with an arbitrary string value, such as an email address. Identifying a visitor allows xDB to link this cookie to other visitor cookies with the same identification, which in turn enables sharing personalization, analytics, and session state. Again, this requires an API call.

Without developer setup, Sitecore xDB records each page visit associated with the visitor cookie. Since Sitecore 8.1, IP addresses are hashed, and there is a configuration option to suppress retention altogether, or to select the hashing mechanism. See Sitecore's documentation on IP hashing.

Thanks @Dan Solovay - I think this is as close as we're going to get to a definitive answer, in terms of Sitecore's roadmap I will try and make contact with someone at Sitecore directly to discuss it.
– Steve Newstead Oct 4 '16 at 10:06

Great, @MangoPieFace. Please post what you hear as an answer to your question.
– Dan Solovay Oct 4 '16 at 12:14

Found this which might clear something up / make things more complicated: What constitutes personal data? Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer **IP address**. from here: eugdpr.org/gdpr-faqs.html
– theyetiman Aug 7 '17 at 10:52

Does Sitecore allow you to anonymize IP addresses / hash them somehow? Maybe this would get around the problem whilst still storing a unique ID for IP
– theyetiman Aug 7 '17 at 10:53
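
Hashing an IP address keeps a stable per-visitor ID, as the comment above asks, but the IPv4 space is small enough that an unkeyed hash can be matched back to the address, so the hash needs a secret key. The following is an added illustration in Python, not Sitecore's hashing implementation or configuration; the function names, demo key and sample address are assumptions.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional

# Constructed demo key; a real deployment would load it from a secret store.
DEMO_KEY = b"constructed-demo-key"


def plain_hash(ip: str) -> str:
    """Unkeyed SHA-256 over the canonical text form of the address."""
    return hashlib.sha256(str(ipaddress.ip_address(ip)).encode()).hexdigest()


def keyed_hash(ip: str, key: bytes = DEMO_KEY) -> str:
    """HMAC-SHA-256 over the packed address: a stable ID only for holders of the key."""
    return hmac.new(key, ipaddress.ip_address(ip).packed, hashlib.sha256).hexdigest()


def match_in_network(digest: str, network: str) -> Optional[str]:
    """Return the address in `network` whose plain hash equals `digest`, if any."""
    for addr in ipaddress.ip_network(network):
        if hmac.compare_digest(plain_hash(str(addr)), digest):
            return str(addr)
    return None


if __name__ == "__main__":
    visitor = "203.0.113.7"  # constructed address from a documentation range
    print("plain :", plain_hash(visitor))
    print("keyed :", keyed_hash(visitor))
    # The unkeyed digest maps straight back to the address...
    print("plain digest resolves to:",
          match_in_network(plain_hash(visitor), "203.0.113.0/24"))
    # ...while the keyed digest does not without the key.
    print("keyed digest resolves to:",
          match_in_network(keyed_hash(visitor), "203.0.113.0/24"))
```

Rotating or destroying the key breaks the link between old and new IDs, which is what separates pseudonymised data from data that can still be tied back to a visitor.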

There are several areas which you need to cover if you want your Sitecore solution to be GDPR compliant. The list below is prepared for a typical Sitecore XP implementation with common modules like WFFM and EXM.

1. Secure personal data at rest and in motion

This covers database encryption and securing the communication. You will find a lot of useful information on how to secure your production environment in the Sitecore 9 installation guide.

Sitecore stores personal data in:

Core database, if you use membership tables to store user profiles.

SQL Forms/WFFM db (if you use WFFM with SQL provider). Sitecore saves every submitted form to the db, but you can disable this behaviour in forms settings if you don't want to save personal data from the form fields.

Interactions, for example EXM events (open email, open landing page, etc.), contain data used for placeholders like first name, last name and email address. Also, you should check that personal data is not used in the URL (in query string parameters), because it may all be tracked by Sitecore and stored in the collection.

Sitecore 9 note:
You can mark data as sensitive by using the [PIISensitive] attribute on facets and facets' properties.
Such data will be removed if you call the ExecuteRightToBeForgotten method for a contact, and it will also prevent Sitecore from indexing the data.

2. User rights

Right to be forgotten

Sitecore 8 prior to 8.2 Update 7: Sitecore doesn't have a documented API to remove data from MongoDB, but you can rather easily delete the data using the standard MongoDB .NET provider shipped with the platform.
For updating the Analytics Index you can use https://github.com/vhil/helpfulcore-analytics-index-builder, or use the Sitecore.ContentSearch API to search and remove documents from the index.
If you removed the user from List Manager (there's no point in keeping anonymous users without an email address in the list), you will also need to update the recipients count in the list item using the ListManager<TContactList, TContactData> class to keep your data consistent.
Additionally, you need to update the Contacts table in the SQL Reporting database where ContactId equals _id from the Contacts collection.

Sitecore 8.2 Update 7: You can execute the new pipeline introduced in this version:

Right to data rectification

You should allow the user to change personal facets in Tracker.Current.Contact.
Alternatively, in Sitecore 8 you will need to directly call ContactManager and ContactRepository to lock and update the contact.

Very interesting and useful info. Indeed, I succeeded for Sitecore 8 in removing from xDB like this and triggering an index rebuild. However, the identifier is still in the reporting database in the Contacts table, ExternalUser field. Any thoughts on how to update this, other than doing a custom SQL query or a full reporting db rebuild?
– Joost Feb 28 '18 at 12:45

1

You are right, I updated my answer. Reporting db contains the contact identifier and IDs of lists from List Manager in the Contacts table. The primary key of this table is ContactId, which is equal to _id from the Mongo Contacts collection. I would update the row for the corresponding ContactId and change "ExternalUser" to blank, set "IntegrationLevel" to 0 and update "ContactsTags" to "<tags/>".
– whuu Mar 1 '18 at 9:20
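
The check suggested in point 1 of the answer above (personal data in query string parameters, which tracking would then store) can be run over a list of site URLs before they reach analytics. This is an added example in Python, not part of the original answer or of Sitecore; the parameter-name list, function names and sample URLs are assumptions constructed for illustration.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Hypothetical parameter names that often carry personal data; extend per site.
SUSPECT_NAMES = {"email", "mail", "firstname", "lastname", "name", "phone", "address"}


def pii_findings(url: str) -> List[Tuple[str, str]]:
    """Return (parameter, reason) pairs for query parameters that look personal."""
    findings = []
    # parse_qsl percent-decodes, so "jane%40example.org" is checked as an email.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if EMAIL_RE.search(value):
            findings.append((name, "value contains an email address"))
        elif name.lower() in SUSPECT_NAMES and value:
            findings.append((name, "parameter name suggests personal data"))
    return findings


def redact(url: str) -> str:
    """Rebuild the URL with flagged parameter values replaced by a marker."""
    parts = urlsplit(url)
    flagged = {name for name, _ in pii_findings(url)}
    pairs = [(n, "REDACTED" if n in flagged else v)
             for n, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


# Constructed sample URLs.
SAMPLE_URLS = [
    "https://www.example.com/newsletter/confirm?email=jane.doe%40example.org&campaign=spring",
    "https://www.example.com/search?q=shoes&page=2",
    "https://www.example.com/landing?firstname=Jane&utm_source=mail",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        for param, reason in pii_findings(sample):
            print(f"{sample}\n  {param}: {reason}\n  store as: {redact(sample)}")
```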